International travel: personal data needs “passports”, “visas” and “vaccinations” too

Today personal data travels instantly, and it is easy to forget the journey and the risks, but access to certain countries can be restricted without the proper paperwork, including the new SCCs. Is your personal data fit to travel?

The new SCCs passport

The main safeguard used to send personal data internationally, the Standard Contract Clauses (SCCs) have just been updated on 4 June 2021. Work will be needed to renew your personal data contract passport for it to travel.

Schrems’ visa

A little over nine years ago an Austrian law student by the name of Max Schrems was refused entry onto a transatlantic flight to the US for ‘national security’ reasons. It was believed the answer to this lay in Edward Snowden’s 2013 bombshell of the surveillance scope of the US government. Schrems launched a crusade against protected personal data crossing outside the borders of the EU, into the reach of the US government. In July 2020, the Schrems II decision invalidated the Privacy Shield safeguard between the EU and the US and made it clear that the SCCs, even the new ones, may not provide sufficient protection alone for personal data to travel. A passport and visa is not enough.

Transfer Risk Assessment vaccinations

Schrems II also highlighted that risk assessments of the journey may be required, to identify and implement extra measures needed, rather like assessing your inoculations.

Travel denied

European regulators are now using their enforcement powers to restrict data boarding proverbial transatlantic flights to the US. The French data protection authority (CNIL) has said that COVID-19-related health data being hosted within the EEA by US organisations may still be at risk of access by U.S. authorities. The Portuguese data protection regulator (CNPD) recently required the National Institute of Statistics (INE) to suspend its transfer of citizens’ personal data across the Atlantic on 12 hours’ notice, halting its operations. German data protection authorities seem to agree, having issued guidance, decisions invalidating transfers, and a set of questions that businesses should consider when sending personal data on its travels. The German Federal Government has been asked to provide certainty in the context of cloud services where personal data potentially travels internationally.

Organisations are rightly concerned. The solution?

Shoosmiths’ travel programme: personal data “passports”, “visas” and “vaccinations”: SCC+ and BCRs

Is it time to look at BCRs? Binding Corporate Rules are another safeguard for multi-national companies to transfer data sanctioned by a regulator

Shoosmiths’ SCC+ model is a comprehensive travel programme  with all the right paperwork and assessments, including the new SCCs, and taking into account the specific personal data journey to be undertaken

We’ll be discussing this with global privacy experts from the UK and US in our webinar Trading internationally? The new EU data protection SCCs explained on 23 June at 3pm GMT (7am PDT, 9am CDT, 10am EDT). To register your interest, please click here.


This information is for general information purposes only and does not constitute legal advice. It is recommended that specific professional advice is sought before acting on any of the information given. Please contact us for specific advice on your circumstances. © Shoosmiths LLP 2024.



Read the latest articles and commentary from Shoosmiths or you can explore our full insights library.